Most computer users need to set and remember numerous passwords for various systems and applications they access. Traditionally, a user had to write all of these passwords and user names on a piece of paper or a number of reminder notes. These mechanisms for managing the plethora of required passwords are either not secure, inconvenient to use, or both.
A variety of software-based password managers have been developed to address this problem. Such password management tools allow users to store passwords on their PCs and access these passwords with a single master password. As can be seen with reference to FIG. 1, a computing system 100 is shown comprising a user display 104, a processor 108, memory 112, and a number of user input devices 116, 120. These types of computing systems 100 utilize the memory 112 to store the password management tool. Thus, when a user needs to access the passwords in the password management tool, the user only needs to provide the proper entry (e.g., a master password) via the keyboard 116. Then, the processor 108 is able to retrieve the necessary passwords from the password management tool stored in memory 112.
The problem common to these types of password management tools is that the master password file is simply a file on the user's PC that can be copied by malware (i.e., a virus) to a remote location. Once at the remote location, an attacker can decrypt the file using brute force techniques (i.e., by trying all possible master passwords). Storing passwords in an encrypted master password file is more secure than having them written down. However, the prevalence and advancement of viruses capable of collecting information from a user's PC and transmitting this information to a remote location make these techniques considerably less secure than they appear.
U.S. Pat. No. 7,092,915 provides an attempt to address the above-described shortcomings in password management tools. More specifically, the '915 patent teaches a method of storing passwords in a mobile device, such as a PDA, from which the stored passwords are input to the PC applications using a special driver. While this presents an improvement in the art, it fundamentally just pushes the same problem from the PC to the PDA, which is itself a general-purpose computer that is also subject to malware attacks.